Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Sparrowvsrevolution (1926150) writes "Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet.

Early last week a hacker who uses the handle someLuser found that commands sent to a Swann DVR via port 9000 were accepted without any authentication. That trick would allow anyone to retrieve the login credentials for the DVR's web-based control panel. To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug And Play, (UPNP) which maps the devices' location to any local router that has UPNP enabled--a common default setting. That feature, designed to allow users to remotely access their video files via remote PC or phone, effectively cuts a hole in any firewall that would expose the device to attackers, too. And security researcher H.D. Moore has been able to show that the flawed architecture isn't just used Swann, but instead effects every company that uses Ray Sharp's firmware. Neither Ray Sharp nor any of the eighteen firms have yet released a firmware fix."Link to Original Source